SMTP Pentest Guide

DKIM-DNS Inconsistencies

This attack exploits inconsistencies between how DKIM processes selectors and how DNS handles special characters in queries. By manipulating the DKIM selector field, attackers can trick the receiving server into verifying the signature with the wrong public key.

Attack Summary: Exploiting how DKIM and DNS handle special characters differently to redirect DKIM verification to an attacker-controlled domain.

Background: DKIM Verification Process

DKIM (DomainKeys Identified Mail) is an email authentication method that allows a sender to associate a domain name with an email message. This is done by adding a digital signature to the email headers. The process works as follows:

  1. The sending server signs the email with its private key and includes the signature in a DKIM-Signature header
  2. The DKIM-Signature header includes a "d" parameter (domain) and an "s" parameter (selector)
  3. The receiving server constructs a DNS query in the format "s._domainkey.d" to retrieve the public key
  4. The receiving server uses this public key to verify the signature

For example, if d=example.com and s=selector1, the DNS query would be "selector1._domainkey.example.com".
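As an added illustration of the four steps above (this is example code written for this guide, not part of the original page or of any DKIM library), the following Python parses a DKIM-Signature tag list and builds the exact DNS name a verifier queries. The sample header is constructed; its b= and bh= values are placeholders, not real signatures.

```python
# Tags that RFC 6376 section 3.5 requires in every DKIM-Signature header.
REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "h", "s")


def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature tag list ("tag=value; tag=value; ...") into a dict.

    Whitespace around tags and values is stripped; the base64 tags b= and bh=
    may be folded across lines, so all whitespace inside them is removed.
    A duplicate tag or a missing required tag raises ValueError, because
    RFC 6376 says such a signature must not verify.
    """
    tags = {}
    for item in header_value.split(";"):
        item = item.strip()
        if not item:
            continue  # a trailing ";" is permitted
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        name = name.strip()
        if name in tags:
            raise ValueError(f"duplicate tag: {name}")
        value = value.strip()
        if name in ("b", "bh"):
            value = "".join(value.split())
        tags[name] = value
    missing = [tag for tag in REQUIRED_TAGS if tag not in tags]
    if missing:
        raise ValueError(f"missing required tags: {missing}")
    return tags


def dkim_query_name(tags: dict) -> str:
    """Return the DNS name a verifier queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def is_well_formed(header_value: str) -> bool:
    """True if the header parses and carries every required tag."""
    try:
        parse_dkim_signature(header_value)
    except ValueError:
        return False
    return True


# Constructed sample header; b= and bh= are placeholders, not real values.
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
    "h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIGNATURE="
)

if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_HEADER)
    print(dkim_query_name(tags))  # selector1._domainkey.example.com
```

Nothing in `dkim_query_name` inspects the selector before concatenating it; that is exactly the gap the rest of this page is about, and it is the point at which the hardened verifier further down adds its check.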

Attack Methodology

This attack exploits the inconsistency between how DKIM processes the selector field and how DNS handles special characters in queries. The key insight is that DNS treats certain characters, like the null byte (\x00), as string terminators, while DKIM might process the entire selector string.

Null Byte Injection Attack
Exploiting null byte handling differences between DKIM and DNS

In this attack, the attacker injects a null byte (\x00) into the DKIM selector field to manipulate the DNS query.

Attack Example

Using null byte in DKIM selector

  HELO attacker.com
  MAIL FROM: <any@attacker.com>
  RCPT TO: <victim@victim.com>
  DATA
  DKIM-Signature: v=1; a=rsa-sha256; d=bank.com; s=attack.com.\x00.any; ...
  From: <sec@bank.com>
  To: <victim@victim.com>
  Subject: Security Alert

  Dear Customer,
  We are writing to inform you that...
  .

Explanation: In this example, the attacker sets the DKIM domain (d) to 'bank.com' but uses a manipulated selector (s) containing 'attack.com.\x00.any'. When the receiving server constructs the DNS query, it becomes 'attack.com.\x00.any._domainkey.bank.com'. However, DNS treats the null byte as a string terminator, so it only queries 'attack.com', which the attacker controls.

How It Works

  1. Attacker creates an email with a DKIM-Signature header
  2. The "d" parameter is set to the target domain (bank.com)
  3. The "s" parameter is set to a string containing the attacker's domain followed by a null byte and additional characters (attack.com.\x00.any)
  4. The attacker signs the email with their private key
  5. When the receiving server processes the DKIM signature, it constructs a DNS query: attack.com.\x00.any._domainkey.bank.com
  6. DNS treats the null byte as a string terminator, so it only queries "attack.com"
  7. The DNS server for attack.com (controlled by the attacker) returns a public key that matches the signature
  8. The DKIM verification passes, and DMARC alignment checks pass because the "d" parameter (bank.com) matches the From header domain
  9. The email appears to be legitimately from bank.com, even though it was signed with the attacker's key

Other Character Injection Variants
Exploiting other special character handling differences

Beyond null bytes, attackers can exploit other special characters that are handled differently by DKIM and DNS.

Alternative Attack Examples

Using other special characters in DKIM selector

  # Example 1: Using dots
  DKIM-Signature: v=1; a=rsa-sha256; d=bank.com; s=attack.com...any; ...

  # Example 2: Using domain labels
  DKIM-Signature: v=1; a=rsa-sha256; d=bank.com; s=attack.com.any; ...

  # Example 3: Using encoded characters
  DKIM-Signature: v=1; a=rsa-sha256; d=bank.com; s=attack.com%00any; ...

Explanation: These examples show different ways to manipulate the DKIM selector field to redirect the DNS query. The effectiveness depends on how the specific email server handles these special characters and how DNS processes them.
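The following added example (written for this guide; it is not code from the page, from espoofer, or from any mail server) puts the vulnerable name construction described in "How It Works" beside a hardened one, and runs the null-byte selector and the three variants above through both. `naive_query_name` is a model of the behaviour the text describes, a C-string style resolver API that stops reading at the first NUL byte, not a reproduction of any particular library. `strict_query_name` applies the selector and domain-name syntax from RFC 6376 section 3.1 (labels of letters, digits and hyphens, per RFC 5321) before the name is ever built. `bank.com` is the page's example domain; `selector1` is a constructed benign selector.

```python
import re

# RFC 6376 section 3.1: selector = sub-domain *( "." sub-domain ) and
# domain-name = sub-domain 1*( "." sub-domain ), with sub-domain from RFC 5321:
# letters, digits and hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def naive_query_name(selector: str, domain: str) -> str:
    """Model of the vulnerable path described in the text (not a specific library).

    The concatenated name is handed to a C-string style resolver API, which stops
    at the first NUL byte; a trailing dot only marks the root and is dropped.
    """
    name = f"{selector}._domainkey.{domain}"
    name = name.split("\x00", 1)[0]
    return name.rstrip(".")


def check_name(value: str, what: str, min_labels: int) -> None:
    """Raise ValueError unless every dot-separated label is an RFC 5321 sub-domain."""
    labels = value.split(".")
    if len(labels) < min_labels or not all(LABEL_RE.fullmatch(label) for label in labels):
        raise ValueError(f"{what} {value!r} violates RFC 6376 {what} syntax")


def strict_query_name(selector: str, domain: str) -> str:
    """Hardened form: validate s= and d= before building the query name.

    A selector containing NUL, '%', empty labels or any other non-LDH byte is
    rejected here, so nothing a resolver could truncate or misparse reaches it.
    """
    check_name(selector, "selector", min_labels=1)
    check_name(domain, "domain", min_labels=2)
    return f"{selector}._domainkey.{domain}"


def evaluate_selector(selector: str, domain: str) -> dict:
    """Compare what the naive and strict paths would do for one s=/d= pair."""
    result = {"naive": naive_query_name(selector, domain), "strict": None, "reason": None}
    try:
        result["strict"] = strict_query_name(selector, domain)
    except ValueError as exc:
        result["reason"] = str(exc)
    return result


# The selectors from the text plus a constructed benign one.
SELECTORS = ["selector1", "attack.com.\x00.any", "attack.com...any",
             "attack.com.any", "attack.com%00any"]

if __name__ == "__main__":
    for sel in SELECTORS:
        r = evaluate_selector(sel, "bank.com")
        shown = r["strict"] or f"REJECTED ({r['reason']})"
        print(f"{sel!r:24} naive -> {r['naive']!r:42} strict -> {shown}")
```

Of the three variants, only `attack.com.any` survives the strict check, and its query name still ends in `._domainkey.bank.com`, so the key is still fetched from the signing domain; the dotted and percent-encoded forms fail the syntax rule outright.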

Variations in Implementation

The success of these attacks depends on specific implementations of DKIM and DNS. Some factors that affect vulnerability include:

  • How the email server sanitizes DKIM selector values
  • How DNS libraries handle special characters
  • Whether the server validates the relationship between the selector and domain
  • How DKIM verification results are communicated to DMARC

Impact

This attack allows attackers to:

  • Bypass DKIM verification by redirecting DNS queries to attacker-controlled domains
  • Create emails that appear to be DKIM-verified from legitimate domains
  • Conduct sophisticated phishing attacks that pass email authentication checks
  • Potentially bypass security systems that rely on DKIM for email authentication

Detection

Organizations can detect these attacks by:

  • Inspecting DKIM selectors for unusual characters or patterns
  • Monitoring DNS queries made during DKIM verification
  • Implementing additional validation of DKIM parameters
  • Using email security solutions that can detect these inconsistencies
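The first two detection points above (inspecting selectors and watching the key lookups) can be combined into one check, shown here as an added Python example written for this guide rather than code from the page or from any product. It assumes a verifier that records, per message, the DKIM-Signature value and the DNS name it actually asked for; that `qname` field is an assumed log format, and the five records are constructed from the page's own examples plus one benign message. A selector that breaks RFC 6376 syntax, or a key lookup that does not end in `._domainkey.<d>`, is reported as high severity; a multi-label selector that is syntactically legal is only noted for review.

```python
import re

# RFC 5321 sub-domain label: letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def tags_of(header_value: str) -> dict:
    """Minimal DKIM-Signature tag-list parse, enough to read d= and s=."""
    return {k.strip(): v.strip() for k, v in
            (item.split("=", 1) for item in header_value.split(";") if "=" in item)}


def inspect_record(record: dict) -> list:
    """Return (severity, finding) pairs for one verification record.

    record = {"id": ..., "dkim": <DKIM-Signature value>,
              "qname": <name the resolver was actually asked for>}
    The qname field is an assumed log format (a verifier that logs key lookups).
    """
    findings = []
    tags = tags_of(record["dkim"])
    selector, domain = tags.get("s", ""), tags.get("d", "")

    labels = selector.split(".")
    if not all(LABEL_RE.fullmatch(label) for label in labels):
        bad = sorted({ch for ch in selector if not (ch.isascii() and ch.isalnum()) and ch not in "-."})
        findings.append(("high", f"selector violates RFC 6376 syntax: labels={labels!r}, bad chars={bad!r}"))
    elif len(labels) > 1:
        findings.append(("low", "multi-label selector (legal but uncommon); review"))

    # The lookup must stay under <d>: compare case-insensitively, ignore a root dot.
    expected_suffix = f"._domainkey.{domain}".lower()
    qname = record["qname"].rstrip(".").lower()
    if not qname.endswith(expected_suffix):
        findings.append(("high", f"key lookup {record['qname']!r} is outside signing domain {domain!r}"))
    return findings


def scan(records: list) -> dict:
    """Map record id -> findings, keeping only records that produced any."""
    out = {}
    for rec in records:
        found = inspect_record(rec)
        if found:
            out[rec["id"]] = found
    return out


# Constructed records: one benign message and the four selectors from the text.
RECORDS = [
    {"id": "msg-1", "dkim": "v=1; a=rsa-sha256; d=example.com; s=selector1; ...",
     "qname": "selector1._domainkey.example.com"},
    {"id": "msg-2", "dkim": "v=1; a=rsa-sha256; d=bank.com; s=attack.com.\x00.any; ...",
     "qname": "attack.com"},
    {"id": "msg-3", "dkim": "v=1; a=rsa-sha256; d=bank.com; s=attack.com...any; ...",
     "qname": "attack.com...any._domainkey.bank.com"},
    {"id": "msg-4", "dkim": "v=1; a=rsa-sha256; d=bank.com; s=attack.com.any; ...",
     "qname": "attack.com.any._domainkey.bank.com"},
    {"id": "msg-5", "dkim": "v=1; a=rsa-sha256; d=bank.com; s=attack.com%00any; ...",
     "qname": "attack.com%00any._domainkey.bank.com"},
]

if __name__ == "__main__":
    for msg_id, findings in scan(RECORDS).items():
        for severity, text in findings:
            print(f"{msg_id}: [{severity}] {text}")
```

The qname comparison is the more robust of the two signals: it does not depend on guessing which characters a given resolver mishandles, it simply asks whether the key was fetched from somewhere other than the domain the signature claims.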

Mitigation

To protect against these attacks, organizations should:

  • Sanitize DKIM selectors: Email servers should validate and sanitize DKIM selector values before processing
  • Implement proper DNS handling: Ensure DNS libraries properly handle special characters
  • Validate DKIM parameters: Implement additional checks to ensure the integrity of DKIM parameters
  • Use strict DMARC policies: Implement "p=reject" in DMARC records to reject emails that fail authentication. Note that the null-byte variant above passes DKIM and DMARC alignment once the wrong key has been fetched, so a strict policy complements selector validation rather than replacing it
  • Keep email servers updated: Apply security patches that address these vulnerabilities

Testing

Security professionals can test for this vulnerability using the following approach:

  1. Set up a test email server with the ability to manipulate DKIM headers
  2. Create test emails with various manipulated DKIM selectors
  3. Send these emails to test accounts at different email providers
  4. Check if the emails pass DKIM and DMARC authentication
  5. Use the "espoofer" tool to automate testing for these vulnerabilities

References

  • Chen, J., Duan, H., Weaver, N., Paxson, V., & Jiang, J. (2021). "Measuring and Mitigating Email Sender Spoofing Attacks." In Proceedings of the 30th USENIX Security Symposium.
  • RFC 6376: "DomainKeys Identified Mail (DKIM) Signatures." https://tools.ietf.org/html/rfc6376
  • Shen, Y., Mariconti, E., Vervier, P. A., & Stringhini, G. (2018). "Tiresias: Predicting Security Events Through Deep Learning." In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security.
  • CVE-2021-28958: "DKIM Verification Bypass via Null Byte Injection." https://nvd.nist.gov/vuln/detail/CVE-2021-28958
  • espoofer: "Email Spoofing Testing Tool." https://github.com/chenjj/espoofer